11 July, 2004:
Fishy and chips

Many people will have seen the big publicity campaign for `chip and PIN' authorisation for credit and debit card transactions. This is advertised through a website for the whole scheme, numerous lesserwebsites from individual banks, adverts in the windows of shops which have installed the new equipment, and occasional breathless articles in the press about how `chip and PIN' will stop fraud using the POWER OF TECHNOLOGY!

For those who haven't encountered this spectacular innovation yet, the idea is that, rather than signing a slip when you make a transaction, you type in the same four-digit code you use to withdraw money from a cash machine. (You might imagine this change being motivated by the observation that even trained staff get comparisons of signatures wrong in about 40% of cases, and anyway staff at shops usually don't bother to check the signature on a credit card counterfoil.)

The `chip' part refers to the fact that the scheme can only be used with new `smart' credit cards, which have both a magnetic strip bearing your account number and various other details, and a silicon chip with the same data and some other stuff. The `other stuff' includes the ability to check whether a PIN entered by a user is correct, and to shut down the card if an incorrect PIN is entered three times. It is supposed to be impossible to copy the data off the card's chip, and anyway it is protected by the magic of cryptography. Of course, none of this matters a bit, because the magnetic strip is easy to copy and is the only thing read by a cash machine. So if you want to embark on a lucrative career in cash-card fraud, all you need to do is to get a job in a shop, install a little bit of electronics to record the PINs which customers enter into the `chip and PIN' terminal, and surreptitiously swipe their cards through a magnetic stripe reader. Copy the cards, find a cash machine, and plunder their accounts. (Note how this is much more efficient than traditional credit card fraud which requires the crook to buy goods or services; with `chip and PIN' the dishonest shop assistant can nick actual cash.) Now, criminals are already doing this with auto-tellers, but it'll be even easier with `chip and PIN', since, (as the `chip and PIN' people helpfully point out)

Point-of-sale PIN terminals will be of various shapes and sizes like tills are now.

and so there'll be no way to tell whether the contraption into which you're asked to enter a PIN is a real `chip and PIN' terminal or something cobbled together by a criminal.

Oddly enough, the consumer-oriented propaganda from the `chip and PIN' people doesn't mention any of this. Instead it claims that,

Chip and PIN is the new, more secure way to pay with credit or debit cards in the UK.

Instead of using your signature to verify payments, you will be asked to enter a four-digit Personal Identification Number (PIN) known only to you.

So that's alright then.

You might be wondering how this scheme will make you `more secure', as the above quotation suggests. If so, you need to read it more closely. It's not claiming that `chip and PIN' will make you more secure, as that's not the point of the system. The intention is to reduce losses from banks and merchants resulting from fraud. (It is frequently said that the implementation of `chip and PIN' in France reduced losses resulting from card fraud by 80%.) There are two ways that losses to fraud can be reduced:

by reducing the amount of fraud which takes place; and,

by not paying compensation to people who are defrauded.

I haven't seen any discussion of the French figures in this light (and, of course, the second sort of reduction is pretty hard to measure).

From the point of view of a cardholder, the reason that it's safe to pay for things using credit or debit cards is nothing to do with PINs or chips or cryptography; the reason is that you're insured by your bank against losses. `Chip and PIN' ostensibly doesn't change this; if a criminal obtains your PIN and card number and robs you via an ATM (or obtains your PIN and nicks your card, then uses it to pay for items in a credit card transaction), then you should be insured against the loss. On this theory, `chip and PIN' is a nuisance, but not a financial risk.

Unfortunately, this theory is wrong, not for any technical reason but because banks in the UK have historically been very effective at pretending that their computer systems are secure when they aren't. There are several examples mentioned in Ross Anderson's paper, Why Cryptosystems Fail, (and numerous others in his book, which is well worth reading); sometimes victims are refunded, but often the pattern followed looks like this:

Sometimes, customer appeals against conviction/unfavourable judgment, bank's story is shown to be a pack of lies, and customer is released/compensated after having their life turned upside-down by judicial system.

(There's a list of some of these cases on Mike Bond's web pages about `Phantom Withdrawals', including references to the shocking Munden case and various other miscarriages of justice. It's worth noting that in Bond's list, a case is marked as `resolved' if the courts have reached a decision either way, so `resolved' cases include ones where banks have screwed over customers for thousands of pounds lost because of crap security, and the courts have stood by and done nothing about it.)

In one case Anderson mentions, the bank's defence rested in part on the laughable claim that their computer system could not suffer from bugs because its software ``was all written in assembly language''. With friends like these, who needs enemies? The only mystery is how they've kept card fraud down to only £400 million per year.

And, despite twenty years of ATM fraud, banks are still trying to pull off the `PINs can't be forged' stunt to avoid (a) compensating customers for fraud, and (b) being exposed as completely hopeless. (This doesn't work in the United States, where the courts decided that banks were liable for such losses unless there was actual evidence that the complaining customer was trying to defraud them; see this paper for more on the situation there and here.)

Of course, nobody would try to claim that forging someone's signature is impossible, and if the bank tried to use that as an argument against compensating you for losses from fraud, they'd be laughed out of court. So one consequence of `chip and PIN' is that it will be easier for banks to avoid paying out for losses from fraud, thereby cutting their losses. (I was astonished to hear from a friend that their signature was frequently questioned when they paid for items with a card. Often cashiers draw attention to the fact that my signature written in the large space available on a credit card slip looks completely different to my signature written in the tiny little box on the back of a credit card, but none of them have ever suggested that I'm forging someone else's scribble....)

You'd expect that retailers wouldn't be very happy with a system designed to let banks screw over their customers (who are, as you will recall, `always right'), so the banks have decided to shift liability for fraud onto retailers, in cases where `PIN [sic.] could have prevented fraud' to encourage them to sign up to the new scheme. Since most businesses have lots of customers but only one bank, it's probably rational for them to let a few of their customers get shafted by the banks just to avoid making any trouble.

There is a solution to this problem, in fact: you can ask to be issued a `PIN-suppressed' or `chip and signature' card by your bank; when you use the card in a `chip and PIN' terminal, the terminal will prompt you to sign the slip as usual rather than entering a PIN. When I rang my bank to ask about this, they explained that it was only available to disabled people. While it's nice to see a company offering, in one small way, better service to disadvantaged members of society than to others, this is scant reassurance for those of us who want a good chance of recovering our losses when we become victims of fraud. (Current figures suggest that about one in four bank customers will be victims of ATM fraud at some point in their lives.) So, I've written to my bank (Barclays) to ask for a `PIN-suppressed' card. I'll report on the response, but so far I am not hopeful.